Get the latest security news in your inbox.

Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same we have been tracking for a while:

A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file with the following content:

The first stage copies the payload to the __IMPORT section of dyld using memcpy:

About the Author:Jaime BlascoJaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›